This Privacy Policy explains how Tabularum Inc. ("Tabularum", "we", "our") collects, uses, stores, and protects personal data in connection with our private capital markets platform, in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA"), MAS Notice 626, and the Securities and Futures Act (Cap. 289). It applies to all Singapore-based users, including General Partners (GPs), Limited Partners (LPs), and their authorised representatives.
Tabularum Inc. is the organisation responsible for the collection, use, and disclosure of your personal data under the PDPA. We have appointed a Data Protection Officer (DPO) as required under Section 11(3) of the PDPA. Contact our DPO at gaio@tabularum.com (subject: PDPA Request) for any data protection enquiry or to exercise your rights. You may also contact the Personal Data Protection Commission (PDPC) of Singapore.
Identity & KYC Verification: Full legal name, NRIC/FIN/passport number, date of birth, nationality, government-issued ID, proof of address, beneficial ownership information, source of funds and wealth documentation, and investor categorisation under SFA Section 4A.
Account Data: Email address, phone number, professional title, hashed credentials, Tabularum Identity Number (TIN).
Financial & Investment Data: Capital commitments, subscription agreements, side letters, capital call and distribution records, portfolio data, NAV, and bank details where provided.
Platform Usage: Access logs, document view records, immutable audit trail entries, IP address, browser type, and session data (security only).
Communications: Messages and notices exchanged through the Platform.
Consent (Section 13): We collect, use, and disclose personal data with your consent, which may be express or deemed under Sections 14 and 15 of the PDPA.
Contractual Necessity (Section 17): Processing necessary to provide Platform services under the Terms of Service.
Legal Obligation: Compliance with MAS Notice 626, the SFA, CDSA, TSOFA, and other applicable Singapore legislation.
Legitimate Interests (Section 17A): Security monitoring, fraud prevention, Platform integrity, and immutable audit log maintenance, where not overridden by your interests. This applies following the 2020 PDPA amendments introducing the legitimate interests exception.
Business Improvement (Section 17B): We may use personal data for the purpose of improving our services in accordance with the business improvement exception under the PDPA 2020 amendments.
We use personal data to: onboard and verify identity (KYC under MAS Notice 626); assign and maintain your TIN; facilitate GP-LP transaction management; issue capital calls and notices; fulfil SFA investor categorisation obligations; maintain regulatory reporting records; detect and prevent fraud; comply with Singapore sanctions screening obligations; maintain immutable audit trails; and respond to regulatory enquiries from MAS, STRO, or other Singapore authorities.
We do not sell, rent, or trade personal data. We share only as follows: (a) within the Platform between GPs and LPs as necessary for Transactions; (b) with MAS, STRO, Singapore Police Force, or other regulators pursuant to binding legal obligation under the SFA, CDSA, or TSOFA; (c) with third-party data intermediaries exclusively under contractual data protection obligations consistent with the PDPA; and (d) where required by a binding order of the Singapore courts.
Transfers of personal data outside Singapore are conducted solely in compliance with the Transfer Limitation Obligation under Part VIA of the PDPA and the Personal Data Protection Regulations 2021. We ensure that the recipient country or territory provides a comparable standard of data protection, or that binding contractual obligations are in place to protect your data to a standard comparable to the PDPA. You may request details of applicable transfer safeguards by contacting gaio@tabularum.com.
We retain data only as long as required by law or necessary for the purposes collected: KYC/AML records — 5 years from end of relationship (MAS Notice 626, Paragraph 11); SFA transaction and order records — 5 years; platform security logs — 12 months; communications — duration of relationship plus 5 years. After retention periods expire, data is securely and irreversibly deleted or anonymised in accordance with the PDPA Retention Limitation Obligation (Section 25).
To exercise any right, contact gaio@tabularum.com. We will respond within 30 business days as required by the PDPA. A reasonable fee may apply for access requests involving substantial effort. You may lodge a complaint with the Personal Data Protection Commission (PDPC) at any time.
We implement appropriate technical and organisational measures under the PDPA Protection Obligation (Section 24), including: AES-256 encryption at rest; TLS 1.3 in transit; role-based access controls; multi-factor authentication; immutable timestamped audit logs; regular penetration testing and vulnerability assessments; and data minimisation practices. In the event of a data breach that is notifiable under the PDPA (Section 26C), we will notify the PDPC within 3 calendar days of assessing the breach to be notifiable, and affected individuals as soon as practicable.
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies, third-party tracking pixels, analytics resale, or cross-site tracking. Our cookie practices are compliant with the PDPA and MAS Technology Risk Management Guidelines.
We retain personal data to fulfil MAS record-keeping obligations under the SFA and applicable MAS Notices, including: investor categorisation records under SFA Section 4A; suitability assessment records; transaction records for a minimum of five (5) years; and AML/CFT compliance records under MAS Notice 626. These records are maintained in an immutable, non-alterable format and are accessible to MAS on request.
We collect and retain KYC data as required by MAS Notice 626 (Prevention of Money Laundering and Countering the Financing of Terrorism), the CDSA, and the TSOFA. Beneficial ownership information is collected and verified and retained for five (5) years from the end of the business relationship. We are legally obligated to file Suspicious Transaction Reports (STRs) with the Suspicious Transaction Reporting Office (STRO) where we have reasonable grounds to suspect money laundering or terrorist financing. We cannot notify you if an STR has been filed, as this would constitute "tipping off" under the CDSA.
Our Platform is not directed at individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at gaio@tabularum.com. We will delete such data without delay in accordance with the PDPA.
Material changes to this Policy will be communicated by email at least 30 days before taking effect. This Policy is governed by the laws of the Republic of Singapore. You retain the right to lodge a complaint with the Personal Data Protection Commission (PDPC) at any time.